PowerShell is writing a binary or script file to disk (an .exe, .dll, .bat, .vbs, .hta or similar), which may indicate an adversary dropping a payload to establish persistence or to stage the next execution step. SOC teams should hunt for this behavior in Microsoft Sentinel, keying on file-create events where the creating process is powershell.exe, powershell_ise.exe or pwsh.exe, so that a dropped payload is found before it is executed or registered for persistence.
Detection Rule
```yaml
title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2025-07-04
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_other_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith:
            - 'C:\Windows\Temp\'
            - 'C:\Windows\SystemTemp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_powershell_module:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
        TargetFilename|endswith: '.dll'
    filter_main_nuget:
        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium
```
Microsoft Sentinel query (ASIM imFileEvent)

```kql
// Microsoft Sentinel translation over the ASIM imFileEvent parser.
// Sigma's Image is the process that created the file, which ASIM exposes as
// ActingProcessName. Sigma's TargetFilename is the full path, which ASIM exposes
// as TargetFilePath; TargetFileName holds only the file name, so startswith and
// contains checks against it would never match and the exclusions would be dead.
// All KQL string operators used here are case-insensitive, matching Sigma semantics.
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\powershell.exe"
    or ActingProcessName endswith "\\powershell_ise.exe"
    or ActingProcessName endswith "\\pwsh.exe"
| where TargetFilePath endswith ".bat" or TargetFilePath endswith ".chm"
    or TargetFilePath endswith ".cmd" or TargetFilePath endswith ".com"
    or TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe"
    or TargetFilePath endswith ".hta" or TargetFilePath endswith ".jar"
    or TargetFilePath endswith ".js"  or TargetFilePath endswith ".ocx"
    or TargetFilePath endswith ".scr" or TargetFilePath endswith ".sys"
    or TargetFilePath endswith ".vbe" or TargetFilePath endswith ".vbs"
    or TargetFilePath endswith ".wsf"
// filter_main_* exclusions from the Sigma rule
| where not(
    (TargetFilePath startswith "C:\\Users\\" and TargetFilePath contains "\\AppData\\Local\\Temp\\"
        and (TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe"))
    or ((TargetFilePath startswith "C:\\Windows\\Temp\\" or TargetFilePath startswith "C:\\Windows\\SystemTemp\\")
        and (TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe"))
    or (TargetFilePath startswith "C:\\Users\\" and TargetFilePath contains "\\WindowsPowerShell\\Modules\\"
        and TargetFilePath endswith ".dll")
    or (TargetFilePath startswith "C:\\Program Files\\PackageManagement\\ProviderAssemblies\\nuget\\"
        and TargetFilePath endswith "\\Microsoft.PackageManagement.NuGetProvider.dll")
)
```
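To make the rule's semantics concrete, here is the selection and filter_main_* logic re-implemented in Python and run over constructed Sysmon Event ID 11 style records. This is an added example written for this page, not code from the Sigma project or the rule's authors. The sample events, the user name alice, the C:\ProgramData\CorpDeploy\ path and the filter_corp_deploy tuning filter are all invented for the illustration; the field names and match strings come from the rule itself.

```python
"""Evaluate 'Potential Binary Or Script Dropper Via PowerShell'
(condition: selection and not 1 of filter_main_*) over constructed
Sysmon Event ID 11 style records. Added example, not the rule's own code."""

POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
DROPPER_EXTENSIONS = (".bat", ".chm", ".cmd", ".com", ".dll", ".exe", ".hta",
                      ".jar", ".js", ".ocx", ".scr", ".sys", ".vbe", ".vbs", ".wsf")
BINARY_EXTENSIONS = (".dll", ".exe")


def selection(image: str, target: str) -> bool:
    """Sigma string modifiers are case-insensitive, so compare lower-cased values."""
    image, target = image.lower(), target.lower()
    return image.endswith(POWERSHELL_IMAGES) and target.endswith(DROPPER_EXTENSIONS)


# Each filter receives the lower-cased TargetFilename and returns True to suppress.
def filter_main_user_temp(t: str) -> bool:
    return (t.startswith("c:\\users\\")
            and "\\appdata\\local\\temp\\" in t
            and t.endswith(BINARY_EXTENSIONS))


def filter_main_other_temp(t: str) -> bool:
    return (t.startswith(("c:\\windows\\temp\\", "c:\\windows\\systemtemp\\"))
            and t.endswith(BINARY_EXTENSIONS))


def filter_main_powershell_module(t: str) -> bool:
    return (t.startswith("c:\\users\\")
            and "\\windowspowershell\\modules\\" in t
            and t.endswith(".dll"))


def filter_main_nuget(t: str) -> bool:
    return (t.startswith("c:\\program files\\packagemanagement\\providerassemblies\\nuget\\")
            and t.endswith("\\microsoft.packagemanagement.nugetprovider.dll"))


BUILTIN_FILTERS = (filter_main_user_temp, filter_main_other_temp,
                   filter_main_powershell_module, filter_main_nuget)


def matches(event: dict, extra_filters=()) -> bool:
    """True when the rule alerts: selection and not 1 of filter_main_*."""
    if not selection(event["Image"], event["TargetFilename"]):
        return False
    t = event["TargetFilename"].lower()
    return not any(f(t) for f in (*BUILTIN_FILTERS, *extra_filters))


def evaluate(events, extra_filters=()):
    """Return the TargetFilename of every event that would alert, in input order."""
    return [e["TargetFilename"] for e in events if matches(e, extra_filters)]


# Hypothetical environment-specific tuning, added the same way the built-in
# filters are: a deployment tool that writes .cmd wrappers under a fixed
# directory. The path is invented for this example.
def filter_corp_deploy(t: str) -> bool:
    return t.startswith("c:\\programdata\\corpdeploy\\") and t.endswith(".cmd")


PS51 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"

# Constructed sample events (Image / TargetFilename as in Sysmon Event ID 11).
SAMPLE_EVENTS = [
    {"Image": PWSH, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\update.vbs"},  # alerts
    {"Image": PS51, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},  # filter_main_user_temp
    {"Image": PS51, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat"},  # alerts: temp filter covers only .dll/.exe
    {"Image": PS51, "TargetFilename": "C:\\Users\\alice\\Documents\\WindowsPowerShell\\Modules\\"
                                      "powershell-yaml\\0.4.12\\lib\\net47\\PowerShellYamlSerializer.dll"},  # filter_main_powershell_module
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\alice\\dropper.exe"},  # creator is not PowerShell
    {"Image": PS51.upper(), "TargetFilename": "C:\\ProgramData\\svc.EXE"},  # alerts: matching is case-insensitive
    {"Image": PS51.replace("powershell.exe", "powershell_ise.exe"),
     "TargetFilename": "C:\\Users\\alice\\Desktop\\report.ps1"},  # .ps1 is not in the extension list
    {"Image": PS51, "TargetFilename": "C:\\ProgramData\\CorpDeploy\\install.cmd"},  # alerts until filter_corp_deploy is added
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT", name)
    print("after tuning:", evaluate(SAMPLE_EVENTS, extra_filters=(filter_corp_deploy,)))
```

Two things the run makes visible that the rule text alone does not: a .bat or .cmd written to a Temp directory still alerts because the two temp filters only suppress .dll and .exe, and a .ps1 never matches at all, so the tuning scenarios below only matter for the listed extensions.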
Scenario: Scheduled Task Running a Legitimate Script
Description: A scheduled task runs a legitimate PowerShell script (e.g., Backup-System.ps1) that writes a helper file such as a .bat or .cmd wrapper as part of its execution. A temporary .ps1 file does not trigger this rule, since .ps1 is not in the extension list; only the listed binary and script extensions do.
Filter/Exclusion: Add a filter_main_* section on the full destination path the script writes to (TargetFilename). That is the only reliable handle in a file_event record: Image is the PowerShell host, not the script, and the event carries neither the command line nor a hash of the created file, so an exclusion keyed on the script's hash or source path cannot be expressed in this rule. If the exclusion must be tied to the invoking script, correlate the file-create event with the PowerShell process-creation event (same process identifier) and filter on its CommandLine there.
Scenario: Admin Performing a Script Deployment
Description: An administrator deploys scripts or modules to a group of machines using PowerShell Desired State Configuration (DSC) or Group Policy Preferences, and the PowerShell process on each target host writes .dll, .exe, .cmd or .vbs files during the push.
Filter/Exclusion: Exclude the deployment tool's known destination directories (e.g., C:\Windows\Temp\, C:\ProgramData\Microsoft\Windows\PowerShell\). Note that C:\Windows\Temp\ is already excluded for .dll and .exe by filter_main_other_temp but not for .bat, .cmd or .vbs files. Filtering on user context (e.g., User = "Administrator") is a weak exclusion, because an adversary who has escalated runs PowerShell in the same context; prefer a path filter, scoped to the hosts or source system the deployment actually runs from.
Scenario: Binary Extraction for Debugging or Analysis
Description: A security analyst captures a binary with a tool like Process Monitor or Wireshark and then uses PowerShell to carve, decode or write the file out for analysis (e.g., with Set-Content or [IO.File]::WriteAllBytes). Files saved directly by the capture tool do not trigger this rule, because Image must be powershell.exe, powershell_ise.exe or pwsh.exe; only the PowerShell write does.
Filter/Exclusion: Exclude files created in the designated analysis directories (e.g., C:\Analysis\, C:\Temp\), scoped to the analysis hosts rather than applied fleet-wide, since a global exclusion of a writable directory is exactly what a dropper would take advantage of. A filter on the process name (e.g., Process = "ProcessMonitor.exe") adds nothing here, because the rule already constrains the creating process to PowerShell.
Scenario: Script File Creation for Automation Tasks
Description: A user writes a script file as part of an automation task using PowerShell ISE. A .ps1 such as generate_report.ps1 does not trigger the rule, since the extension is not in the list, but saving a .bat, .cmd, .vbs or .js helper from ISE does, because powershell_ise.exe is one of the matched images. Files saved from Visual Studio Code do not match, since its own process is not in the Image list.
Filter/Exclusion: Exclude files created in user-specific script directories (e.g., `C:\Users*\